The current security state of industrial control systems (ICS) is a perplexing one. On the one hand, Kaspersky Lab found in a recent report that a majority of organizations (75 percent) regard ICS security as a major priority. On the other hand, organizations aren’t implementing the proper safeguards to secure their industrial control systems. The Kaspersky study uncovered that many organizations (67 percent) still aren’t compliant with mandatory industry or government guidance surround ICS security, for instance, while 10 percent of organizations still don’t measure the number of incidents and breaches that they’ve experienced. Clearly, organizations have not sufficiently protected their ICS infrastructure. Such neglect has left many industrial environments vulnerable to an industrial digital security event. Caused by human error, equipment failure or malicious activity, an industrial digital security event weakens an organization’s ability to view, monitor and control their industrial processes. Such an incident can cause vital systems to malfunction and thereby jeopardize the public’s safety.
Vulnerability and Visibility: The Two “V’s” of ICS Security
Fortunately, there’s a path for organizations to strengthen the security of their industrial control systems. It involves confronting the two “v’s” of ICS security: vulnerability and visibility.
First, organizations must address the vulnerabilities that affect their ICS assets. This is an important step in the ICS security process, as industrial organizations tend to retain their assets and controls past these technologies’ average lifecycle of 15 years. By keeping them on, industrial organizations invite digital attackers to leverage these older, vulnerable devices in order to gain access to their networks and compromise their industrial processes. Organizations need to mitigate vulnerabilities that affect their industrial assets wherever possible. All things considered, creating a robust vulnerability management program is a good place to start. Industrial organizations should make sure they extend this program across their environments including to the cloud. Doing so will help maintain data integrity and system availability as information continues to flow between the OT and IT network layers.
Second, industrial organizations need to strengthen the visibility of their environments. They can’t protect ICS devices, systems and networks including those responsible for controlling critical infrastructures, if they’re unaware of their existence. Otherwise, they simply use ignorance to assume that they’re secure, thereby placing them into a position of reacting to security incidents instead of proactively defending against them. Even if they are aware of these devices, industrial organizations can still expose themselves to risk by not consistently implementing security measures such as configuration controls. Organizations can begin to improve their visibility over their environments by building an inventory of their industrial technologies. This effort should involve discovering all assets connected to the network, cataloging all asset configurations and diagramming the network. Only then can organizations concentrate on securing the industrial network and its endpoints. Gary DiFazio, a digital security expert at Tripwire, notes how organizations can and should tailor their security efforts to their unique needs. Subsequently, any security controls at which they arrive should also act in the interest of the business. As he explains in a blog post:
We need to be cognizant that “what is a good cyber security control or best practice (configuration management), will also be a good operational control.” This means that the best practices we can perform to mitigate risk for industrial cyber security events will also be effective controls for ensuring operational uptime or availability. They will also give us the ability to reduce the mean time to repair (MTTR) for operational and cyber security event outages when, not if, they happen.
That being said, organizations would be wise to explore how they can implement certain best practices in the industrial environments. First, they should use network segmentation between production cells and key mission critical systems/devices such as PLCs and RTUs. Second, they should use an industrial standard or best practice like IEC62443 or NIST SP 800-82 to harden devices such as HMIs, PLCs, Engineering workstations, Historians and other technologies. Third, they should centralize remote access with strong authentication by creating a DMZ for all connections and implementing MFA. With these security controls in place, organizations can move onto continuous monitoring. DiFazio feels this step can help organizations answer key questions about their industrial environments such as “How do I know if my device/asset configurations are changing?” and “How do I know if my operational baselines are changing?” As he explains in another blog post:
Just like you have a SCADA to help optimize and control your industrial process, you need a “SCADA”-like cybersecurity solution to help optimize and control visibility to industrial cybersecurity events and ensure the protective controls you have implemented are operating correctly. This is not a one-and-done activity. This needs to be performed continuously.
On Strengthening ICS Security
It’s important that organizations use a vulnerability management program in tandem with network visibility, security controls and continuous monitoring to strengthen their ICS security. This is a lot to do for organizations to do on their own. That’s why they should look for help and consider investing in a sophisticated security solution. Learn how Tripwire can help by downloading this whitepaper.